pageok
pageok
pageok
Thoughts on the Legality of the Latest NSA Program:
Assuming that the newly-disclosed NSA surveillance program was described accurately in the USA Today story, is this program legal? Here is a very preliminary run down of the issues. It's not as complete as I would like, and it's not something I have thought about as much as I would like before posting. But my grades are due very soon, and unfortunately I can't spend as much time on this as I would normally like to spend. I hope this post is at least a helpful start.

  The legality of the program touches on at least five laws: the Fourth Amendment, the Pen Register statute, the Stored Communications Act, FISA, and the Communications Act.

  1) The Fourth Amendment issues are straightforward. It sounds like the program involves only non-content surveillance, which means that it presumably doesn't implicate the Fourth Amendment under Smith v. Maryland.

  2) The legality of the program under FISA is somewhat similar to the legality of the NSA program we learned about a few months ago. The key question is, did the monitoring constitute "electronic surveillance" under FISA, and if so, does the Authorization to Use Military Force allow it? Note that FISA's definition of "electronic surveillance" goes beyond accessing only content information and extends to some non-content information. If the program did involve "electronic surveillance" under FISA, then we're right back to the same question that has been raised about the legality of the known NSA domestic surveillance program. If that's right, your views of the legality of the new NSA program will pretty much coincide with your views of the legality of the NSA program disclosed a few months ago.

  3) The next question is, did the monitoring violate the Pen Register statute, and in particular the prohibition of 18 U.S.C. 3121? To boil down a complex area of law into a sentence, federal surveillance law calls any means of surveilling non-content telephone or Internet information a "pen register" or "trap and trace device." Section 3121 then bans using such a device unless the government has a court order (either through the criminal investigative authorities or national security law authorities) or an exception to the statute applies. The exceptions in the statute don't seem applicable here: They mostly involve monitoring to provide better service for the telephone company.

  The USA Today story suggests that Qwest wanted the government to obtain a court order for the monitoring, and that the government refused because they concluded that the FISA court might not grant the order. The court order they are referring to is probably the FISA pen register order. Under 50 U.S.C. 1842, the Attorney General or his designate needs to approve the request for such an order, and must certify "that the information likely to be obtained . . . is relevant to an ongoing investigation to protect against international terrorism or clandestine intelligence activities, provided that such investigation of a United States person is not conducted solely upon the basis of activities protected by the first amendment to the Constitution." The order would then need to be renewed every 90 days under 50 U.S.C. 1842(f).

  The legal threshold for a FISA pen register order is low: relevance to an ongoing investigation is a pretty easy standard to satisfy. At the same time, obtaining an order for this kind of monitoring would raise an issue that I have wondered about but I don't think I know how to answer: Does FISA's pen/trap authority in 50 U.S.C. 1842 permit the government to conduct massive-scale monitoring, or must monitoring be limited to a specific set of persons or accounts? When the USA Today story says that the government didn't think the order would be granted by the FISA court, I gather they are saying that the FISA court judges didn't think the FISA pen/trap authority permitted such massive scale monitoring. That sounds like a sensible conclusion: I would guess that the FISA judges wouldn't interpret the FSIA pen/trap authority as permitting such massive scale monitoring (in that it trumps the need for any individual orders, which would be odd).

  4) The next possible statute is the Stored Communications Act (SCA), and in particular the prohibition on disclosing records relating to wire communications to a government entity found in 18 U.S.C. 2702(a)(3). It's not clear to me that the SCA applies: the SCA was designed to deal with one-time disclosure of stored communications and records, not real-time collection and repeated disclosure. At the same time, the statute doesn't have an explicit exception for real time collection, so it's at least plausible that it does apply. If it applies, disclosure is permitted only if an exception to the statute covers this. I don't think that any of the exceptions apply, though: the emergency exception of 18 U.S.C. 2702(c)(4) seens to be the closest, but this doesn't sound like there was an "immediate danger" here. This was an ongoing program, not a program responding to a sudden emergency.

  5) A fifth possible statute, and one mentioned in the USA Today story, is the Communications Act of 1934, 47 U.S.C. 222. I have generally thought that the statutes discussed above trump this statute, but the USA Today story mentions it. In any event, I don't know much about this one, as it's a telecom statute and I don't normally play in that sandbox. So I'll punt on this one for now.

  To summarize, my very preliminary sense is that there are no Fourth Amendment issues here but a number of statutory problems under statutes such as FISA and the pen register statute. Of course, all of the statutory questions are subject to the possible argument that Article II trumps those statutes. As I have mentioned before, I don't see the support for the strong Article II argument in existing caselaw, but there is a good chance that the Administration's legal argument in support of the new law will rely on it.

  (cross posted at OrinKerr.com)
Medis:
One initial thought/question on the 3121 issue: if the phone company is using the device or process in question for a permissible purpose, but then also passes the resulting records on to the government, is the government itself "using" the device?

Of course, such a description would also seem to place the phone company's actions squarely within 2702.
5.11.2006 1:46pm
The Original TS (mail):
The key point here is that this program is not government "surveillance." These records are already gathered and stored by the phone companies in the normal course of business. There are, therefore, no Fourth Amendment implications, nor does the Pen Register statute apply. FISA might apply but only with respect to legalizing the phone companies's disclosure of its business records, not to the government's actions in obtaining the records.

The crux of the issue is 18 USC sec. 2702 subdivisions (a)(3) and (c) which governs divulging customer records. and section 2703 which governs warrants for customer records. Oddly enough, it is not entirely clear whether section 2703 allows FISA warrants or not. Subsection (c) provides,

A governmental entity may require a provider of electronic communication service or remote computing service to disclose a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications) only when the governmental entity—
(A) obtains a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation or equivalent State warrant;


Emphasis supplied. FISA warrants are not issued using the procedures in the Federal Rules of Criminal Procedure.

There is also a section authorizing disclosure "when the governmental entity uses an administrative subpoena authorized by a Federal or State statute." I don't think a FISA warrant qualifies there, either.

Ironically enough, the telecoms could have successfully resisted any subpoena for these records. subdivision (c) of section 2703 provides, "A court issuing an order pursuant to this section, on a motion made promptly by the service provider, may quash or modify such order, if the information or records requested are unusually voluminous in nature . . ."

The real reason the government didn't want to go to the FISA court for a warrant might well have been that the court would have abjurred jurisdiction. Even if it didn't, any telecom that did not want to comply could likely have resisted the warrant, even assuming the FISA court would have issued one for this program in the first place.

The bottom line here is that the government did not do any "surveillance" here. They asked a non-government actor to voluntarily turn over some business records. True, the non-government actor should not have complied, but that's a different issue. Perhaps the government is guilty of conspiracy to violate section 2702.
5.11.2006 2:13pm
Josh_Jasper (mail):
Of course, we're just tupposed to trust that the NSA won't monitor call logs to see if there has been activity between, say, Democratic party fundraisers and candidates, or Greenpeace contributors, and so on.

What bullshit. This *is* going to be used for domestic spying, and then covered up. It probably already has been. If you trust the NSA on this, you're just as big an isiot as the people who trust that Iran is persuing a nuclear program for peaceful uses.
5.11.2006 2:22pm
Steve Brady (mail) (www):
As far as Article II goes, even if you accept the Vesting Clause Thesis and find that electronic surveillance for obtaining foreign intelligence information is an executive power (and most circuit courts to rule on the matter have gone this way), I still think you would need to make a further jump to find executive power here.

"Creating a database of every domestic call ever in order to study calling patterns" - is that an executive power?
5.11.2006 2:33pm
OrinKerr:
Original TS,

Can you cite your authority for the proposition that the Pen Register statute does not apply? It is a criminal statute that applies to both the government and the private sector. The fact that the data is on the network doesn't mean that it's not a pen register violation for it to be recorded: See the statute itself. I'd be interested in your legal argument beyond its conclusion.
5.11.2006 2:43pm
Al Maviva (mail) (www):
On the Pen Register point, Orin, I'd argue that if you track live calls, this information seems to fit within the definition of Pen Register. In contrast, if the calls have been made and the electronic file recording of equivalent data is sought, that is more in the nature of a business record, analogous to a phone bill showing numbers dialed, duration and fees. I'm not sure if that holds up, but I think that's the strongest argument for it not being a Pen Register.
5.11.2006 2:55pm
JunkYardLawDog (mail):
Doesn't the Patriot Act provide for business records surveillance gathering that doesn't require a warrant. These records would be business records under the Patriot Act.

Says the "Dog"
5.11.2006 3:15pm
Jam (mail):
Can the government then use those records in a criminal case and as "probable cause" for warrants?

What good is a right if "regulations" sidesteps those rights?
5.11.2006 3:24pm
Jam (mail):
Oh, well. Nothing can be done to constraint the government anyways. The government grants itself the authority to decide the limits of its own authority by choosing determining/interpreting its own, empowering, law.



The government has abruptly ended an inquiry into the warrantless eavesdropping program because the National Security Agency refused to grant Justice Department lawyers security clearance.
(snip)

The Republic is dead. What we have is a RICO.
5.11.2006 3:30pm
Jam (mail):
here is the missing link to the article:
CNN article
5.11.2006 3:32pm
Medis:
I'm not sure to what JYLD is referring, but if it is Section 215 of the USA-PATRIOT Act, that section only authorizes collection of business records pursuant to a FISA order.
5.11.2006 3:33pm
Bruce Hayden (mail) (www):
FISA is interesting here. The non-content provision would seem to require a FISA warrant if a warrant would otherwise be required. But then the 4th Amdt. apparently wouldn't require a warrant here, so, at that juncture, it would seem that FISA would not apply. But then, 18 U.S.C. 3121 would seem to require a warrant, and, thus, FISA is back in play.

As all know here, I don't think that the other NSA program is illegal, though I know that others here, notably Medis, are of the opposite opinion. Part of my opinion is based on the president's Article II powers. But they are much more easily implicated in that program than they are in this one. By the evidence so far, this is almost purely domestic, and would be more akin to the Youngstown case than would (IMHO) the original NSA program, which deals with international calls. In other words, it is in my view the international aspect of the first program that is missing in the second that I believe allows the President's power to trump that of Congress in the first.
5.11.2006 3:34pm
Josh_Jasper (mail):
And of course, I misspelled 'idiot'

I plead migraine :-)
5.11.2006 3:54pm
Jam (mail):
Don't forget "tupposed."

The keyboard is a hard taskmaster.

I know we all do better when communicating vocally ;)
5.11.2006 4:10pm
margate (mail):
Orin:

FWIW, I'm struck by how few comments your post mustered today. In December, when the domestic surveillance story broke, your posts prompted a whirlwind of comments . . . and passionate comments at that.

Today, the comments stike me as almost melancholy. Interesting.
5.11.2006 4:13pm
theo (mail):
Al Maviva,

Your "business record" vs. pen register distinction makes no sense, since by your definition any pen register would be legal so long as it's updated one millisecond after a call is completed.

Therefore, I suspect you must be repeating some radical right-wing talking point.

Section 18 of the United States Code defines a pen register as:

a device or process which records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, provided, however, that such information shall not include the contents of any communication, but such term does not include any device or process used by a provider or customer of a wire or electronic communication service for billing, or recording as an incident to billing, for communications services provided by such provider or any device or process used by a provider or customer of a wire communication service for cost accounting or other like purposes in the ordinary course of its business.

(via Wikipedia).

The NSA, which is neither the provider nor the customer, nor is it involved in billing, nor is anything in this authoritarian sweep part of the "ordinary course of business."
5.11.2006 4:16pm
The Original TS (mail):
Can you cite your authority for the proposition that the Pen Register statute does not apply?

Sorry for the cursory analysis, but it's a busy day.

18 USC 3121(b)(1) provides an exception for the telecom operator. As authorized by that exception, the operator is gathering all this info anyway for billing purposes. Thus, the existence of the call data itself does not violate the act.

Essentially, the government asked the telecoms to turn over everyone's phone bills (sans, apparently, customer information.) Since the statute only covers the "installation or use" of a pen register and since the pen register was installed and used by the phone companies in compliance with the act, voluntarily turning over information gathered from the pen register to the government doesn't violate the act. As I noted above, section 2702 addresses the protection of customer records once they have been legitimately generated.
5.11.2006 4:17pm
DG:
Orin:

18 USC 3127(3) defines "pen register" as:

a device or process which records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, provided, however, that such information shall not include the contents of any communication, but such term does not include any device or process used by a provider or customer of a wire or electronic communication service for billing, or recording as an incident to billing, for communications services provided by such provider or any device or process used by a provider or customer of a wire communication service for cost accounting or other like purposes in the ordinary course of its business


If the USA Today article is correct, the NSA did the following:

The agency told the companies that it wanted them to turn over their "call-detail records," a complete listing of the calling histories of their millions of customers. In addition, the NSA wanted the carriers to provide updates, which would enable the agency to keep tabs on the nation's calling habits.


The phone companies aren't using "pen registers" because they fall under the business use exception. Nor is the NSA, because it is merely requesting the legally maintained records. NSA hasn't used any "device or process" that "records or decodes" anything. They're not monitoring anything in real-time, just getting periodic chunks of data from the phone companies.

As commenter The Original TS suggests, the proper focus is on the law governing voluntary disclosure of customer records.
5.11.2006 4:20pm
A.S.:
On the 3121 issue, I think Medis asks the relevant question. Seems to me that Orin may be incorrect when he writes that the "exceptions in the statute don't seem applicable here". The exception in (b) seems relevant: the prohibition "does not apply with respect to the use of a pen register or a trap and trace device by a provider of electronic or wire communication service—
(1) relating to the operation, maintenance, and testing of a wire or electronic communication service". Isn't the information gathered by the carrier for the "operation" of the service? Seems to me it is, since that seems to me to be the infomration needed by the carrier for billing, although the USAT article doesn't give much information.

Accordingly, the carriers legally gather the information through the use of the device. I don't see anything in the statute that says that the legally gather information cannot then be voluntarily turned over to the government (and we know it is voluntary since Qwest refused).
5.11.2006 4:22pm
Jam (mail):
Margate.

It is a planned tactic. Disclose early a lesser problem, deny that it is really a problem, hint at something else while denying it and then, later, disclose what was initially denied.

If enough noise is heard, it is termed "old news," and we just need to move on. Too many people forget about it or are labeled "tin-foil hats."

All of this intrusions into our lives is for our good and safety.

It is a way to "slow boil" the mythological frog.
5.11.2006 4:27pm
Jam (mail):
Did the government officials made it clear that it was voluntary and not statutory?
5.11.2006 4:31pm
Medis:
So suppose the phone companies were violating the law by voluntarily providing these records to the government. Does anyone know of law applicable to the government asking a private party to do something illegal on its behalf?
5.11.2006 4:36pm
A.S.:
While I was typing, Original TS posted (at 3:17) what I was also trying to say. I think he is right.

Let me add, though, to Original TS's discussion of 18 USC 2702:

2702(b)(2) provides the exception Original TS is looking for for FISA-authorized activities. 2702(b)(2) excepts from the prohibitions in 2702(a) disclosures of customer records that are "otherwise authorized in section 2517, 2511(2)(a), or 2703 of this title". 2511(2)(a) is FISA - and allows discosure of records if:


"(ii) (A) a court order directing such assistance signed by the authorizing judge [I presume this means a FISA judge], or (B) a certification in writing by a person specified in section 2518(7) of this title or the Attorney General of the United States that no warrant or court order is required by law, that all statutory requirements have been met, and that the specified assistance is required"


This seems to me to be the genesis of QWest's request for a certification from the Attorney General.
5.11.2006 4:40pm
The Original TS (mail):
A.S.

I'm not so sure. Subdivision (b) governs the disclosure of the content of a communication. subdivision (c) governs the disclosure of customer records. Section 2703 appears to be the only section that authorizes turning over customer records pursuant to a warrant.

Let's not forget in this discussion that no court -- not even the FISA court -- in the United States would dream of issuing a warrant for this program. This program is the ultimate fishing expedition. It's exactly the kind of thing that the warrant requirement is meant to prevent.

Maybe the government should have access to this info, maybe it shouldn't. But there is no way to shoehorn a government demand for this information under existing law. They can't get this through the courts. That's why they didn't try. They need to go to the legislature, instead.
5.11.2006 4:59pm
DG:
Ah, I see TS beat me to the punch. In any case, the phone companies might offer the following defenses to a 2702(a)(3) claim:

1) They haven't disclosed any "record or other information pertaining to a subscriber" under 2702, perhaps because the data does not identify the name of the subscriber (it sounds like they just gave a list of phone numbers). I don't see a definition for "record," so it's hard to say whether that argument will fly.

2) They fit under one of the exceptions in 2702(c). Maybe the subscriber contracts authorize disclosure ((c)(2)). Maybe we're in a perpetual state of emergency ((c)(4)).

3) They are exempt under 2709, which requires disclosure pursuant to a National Security Letter. The NSLs, though, must be certified by the Director of the FBI or his designee. It doesn't sound like the FBI was involved, and I don't imagine that the NSA director has his own independent authority to issue these NSLs.

There's an interesting discussion of the background of 2709 in Doe v. Ashcroft, 334 F. Supp. 2d 471 (which ultimately found the provision to be unconstitutional):

Before the ECPA, the FBI had been issuing non-mandatory NSLs to communications providers, who, in most cases, complied voluntarily. n29 However, because carriers in states with strict privacy laws had recently been resisting those requests, the FBI sought to have mandatory, preemptive federal legislation supporting its issuance of NSLs.
5.11.2006 5:05pm
Al Maviva (mail) (www):
DG - thanks for having the appropriate statutory cite at hand and for stating it better than I did.

Theo - I guess you inferred that I am mindlessly and rabidly parotting Karl Rove's talking points based on this adamant and vehement statement, included in my comment above: "I'm not sure if that holds up, but I think that's the strongest argument for it not being a Pen Register." Yeah, that's a pretty confident recitation of a canned talking point there, huh?
5.11.2006 5:13pm
DryHeat (mail):
As I understand the "it's not a pen register" argument, the idea is that the phone company has this information (records of calls) already, so it's a business record, not a pen register.

The problem with this argument is that it would make most or all of 18 USC 3121 et. seq. meaningless. One of the canons of statutory construction is that you try to read a statute so that all parts have meaning. This reading just doesn't do that.

The better reading, and the one courts will almost certainly adopt, is that when the information provided by the recording device is used for billing, maintenance, etc., it is not being used as pen register, but when the information is given to law enforcement, it is being used as a pen register.

To hold otherwise would mean that, assuming the phone company has such a device hooked up, it would be illegal for them to allow the feds to hook up an identical device, but legal for them to let the feds wire into the existing one. Ideas that make no sense usually don't prevail.
5.11.2006 5:27pm
A.S.:
To hold otherwise would mean that, assuming the phone company has such a device hooked up, it would be illegal for them to allow the feds to hook up an identical device, but legal for them to let the feds wire into the existing one. Ideas that make no sense usually don't prevail.

This doesn't seem right. It would be illegal for the phone company to allow the feds to hook up an identical device. It also seems to me that it would be illegal for the phone company to "let the feds wire into the existing one", since in that case the federal government would be operating the device (at least if I understand your point correctly). However, it would be legal (at least under 3121, notwithstanding the other statutes) for the phone company to itself use the device and then voluntarily give the records to the government.
5.11.2006 5:45pm
A.S.:
I'm not so sure. Subdivision (b) governs the disclosure of the content of a communication. subdivision (c) governs the disclosure of customer records.

Don't you think it odd that the records in (c) would be protected against disclosure pursuant to FISA but the content in (b) wouldn't be?
5.11.2006 5:53pm
Just an Observer:
A.S: Don't you think it odd that the records in (c) would be protected against disclosure pursuant to FISA but the content in (b) wouldn't be?

No. It appears that the intent of Congress was to prevent the creation of just such a government database as the USA Today story describes.

Except for certain clear and immediate life-threatening emergencies, and a specific exception for tracing child-abuse victims, the telecom providers are prohibited from providing such records "to any governmental entity" at all.

The provision allowing the companies to provide content, 18 USC 2702(b), obviously is there to conform to the specific procedures under Title III and FISA authorizing legal wiretaps.
5.11.2006 6:13pm
DG:
DryHeat, I don't think that's the case at all. The ECPA, which amended the original wiretap act, has three parts: Title I, which regulates interceptions of content (18 USC 2510-2522); Title II, which regulates sharing of stored communications and records (18 USC 2701-2711); and Title III, which regulates pen registers and trap-and-trace devices (18 USC 3121-3127). Here's the way the statute works:

Title III says that no person--except the service provider--can install or use a pen register without a court order. This means that the gov't cannot sneak in and install such a device on its own without a court order, nor can it compel the service provider to do so.

To answer your question, the reason that the gov't can't wire in to an existing pen register is that doing so would be "us[ing]" the register and would be a violation of Title III. I don't think anybody's saying they can do that, nor do I think that's what has actually happened.

Service providers can use pen registers as testing devices to be sure that the customer is getting good service, etc. (18 USC 3121(b)) and for billing purposes (18 USC 3127(3)). They're allowed to retain the information they collect: Title II only prohibits unauthorized access to content, which of course does not apply to the service providers (see 18 USC 2701(c)).

So why don't the cops just ask for a suspect's billing records and completely circumvent Title III?

First of all, I suspect that the cops prefer to have real-time access to a suspect's dialing activity. If they're monitoring a particular person, they don't want to have to wait until his bill comes out to see what numbers he's dialed.

Second, the phone companies might deny the request. The gov't cannot compel the providers to hand over their records without a warrant (18 USC 2703(c)).

Finally, and most importantly, the provider is prohibited from voluntarily providing the records to the gov't (18 USC 2702(a)(3)) except in certain enumerated circumstances (18 USC 2102(c)). The key issue in the present case is whether the phone companies have violated this provision.

Bottom line: Title III isn't meaningless at all when it's read in conjunction with the rest of ECPA.
5.11.2006 7:04pm
Alan3 (mail):
I wonder if the data turned over includes records of unmetered/unlimited calls. If that is the case, it can no longer be said that it was acquired for billing purposes.
5.11.2006 7:26pm
I.I (www):
I'm with the above posters who raise the question of how the law differentiates between government requests and government demands. If there's a criminal case to be made I think it would be much easier to make against the compliant providers than against the NSA, especially with the example of Qwest for contrast. Taking that thought further, though, if it was illegal for the providers to hand over the records in the absence of a warrant then NSA might be culpable for conspiracy or other laws against soliciting/ benefitting from illegal acts.
5.11.2006 7:57pm
The Original TS (mail):
Don't you think it odd that the records in (c) would be protected against disclosure pursuant to FISA but the content in (b) wouldn't be?

Maybe, but I don't write 'em, I just interpret 'em -- and that's what it says.

As one of the other posters points out, there are rationales for treating records and the content of communications differently. For one thing, when you get a FISA warrant, you know, specifically, who you're targeting and why so you don't really need customer records. As noted above, you can't get a FISA warrant for every customer record generated by a phone company anyway.

I think we can draw one pretty solid conclusion from this: MCI and Sprint have really crappy in-house counsel. Either that, or they couldn't get their executives to listen to them. I suspect the latter is more likely.

Does anyone know if section 2702(a)(3) conveys a private right of action? I sort of suspect that it does, especially given the language in section 2703(e).
5.11.2006 8:41pm
Northerner (mail):
18 U.S.C. 2702 doesn't apply to phone calls, does it? That statute applies only to "electronic communications services," a term that is defined to include "any transfer of signs, signals, writing, images, sounds, data, or intelligence," but NOT "oral communication."
5.11.2006 10:01pm
The Original TS (mail):
Not necessarily. Different chapter.

I've just answered my own question. Section 2707 does indeed provide a private right of action against the phone company with statutory damages of at least $1000/person.

Even better (or worse) Secton 2712 provides a private right of action against the government with statutory damages not less than $10,000 plus you can get attorney's fees.

There's got to be another very big shoe to drop here. 2707 does provide certain defenses. I'm curious which one the telecoms think they are covered under. Something tells me we'll be finding out soon.
5.11.2006 10:34pm
I.I (www):
The defenses:

(e) Defense.— A good faith reliance on—
(1) a court warrant or order, a grand jury subpoena, a legislative authorization, or a statutory authorization (including a request of a governmental entity under section 2703 (f) of this title);
(2) a request of an investigative or law enforcement officer under section 2518 (7) of this title; or
(3) a good faith determination that section 2511 (3) of this title permitted the conduct complained of;
is a complete defense to any civil or criminal action brought under this chapter or any other law.


2703(f) applies to preserving evidence against possible loss when a court action is pending, and so does not apply.

2518 (7) requires that the requester be specially designated by an attorney general or principal prosecutor to make the request, which was not the case.

2511 (3) has several parts, but only allows sharing information when:
-the consent of any party to the communication is obtained; or
-the carrier inadvertently observes evidence of apparent crime; or
-sharing the information is necessary in order to enable the communication to take place; or
-when authorized under 2517, which mostly doesn't apply to carriers except to allow them to give testimony under oath.

None of those look to fly very well, except an examination of what the phrase "statutory authorization" really means.
5.11.2006 11:25pm
DryHeat (mail):
First, I seem to have misled folks by using the phrase "wire into the existing one." I didn't mean that literally. I meant "get all the data from the existing one." I am assuming the phone company, not the feds, operates the device.

Second, the idea that cops don't do this on a regular basis because they want real-time access is off the mark. Most pen register data is used in conspiracy cases to make those interesting web-like charts that show who called whom over a period of months or years. The feds even have special software to make those charts. I've never heard of anyone standing over a pen register to get real-time data, and I've worked around them for years.

Finally, this argument is way too scholastic. In reality, the effect of having the phone company pull data from its devices -- data it automatically collects -- and having the phone company install a device to collect the data is the same. If the phone company has that arrangement with the feds, it is collecting the data for two purposes: for maintenance, and for law enforcement. If this cozy arrangement passes muster, then that part of 3121 that is intended to protect folks from pen registers absent a court order is meaningless. Although DG says it's not meaningless at all, it's hard to see what practical effect its pen register restrictions have under this theory.

I think the Bush administration should take this matter to the courts as soon as possible to have this theory tested in the only place that really counts. But I doubt they are in a hurry to do so.
5.11.2006 11:42pm
JunkYardLawDog (mail):
What about this scenario: AT&T, et al legally collect this information as part of their service/billing processes. The government asks, hey would you mind giving us a copy of that info? AT&T says OKay Dokey. The government doesn't need any warrant or legal permission of AT&T isn't compelled to produce the records but just hands them over cause they are patriots who want to help catch terrorists? Wouldn't that be correct? The government would only need a warrant or other authorization to seize the records, wouldn't that be correct?

Now add this thought. AT&T says we as patriots would be happy to help catch terrorists and we would be happy to voluntarily turn over these business records of ours, but if we do so we, AT&T, might violate some law or another and we are concerned about this possible theoretical legal violation. The government replies, no problem we will give you immunity from prosecution if you agree to voluntarily provide us copies of these business records you legally created and have in your possession.

Any laws violated and warrants needed in such a situation as the above?

Asks the "Dog"
5.12.2006 1:44am
Bruce Hayden (mail) (www):
DryHeat,

Why should the Administration take it to court? A lot of those opposed to the first program were suggesting the same then too, and my response there again was to ask why should they do it? They had everything to lose by going to court, and little to gain. And, so, they didn't on the first program, and, I suspect they won't on this second one either.
5.12.2006 1:52am
DG:
I agree with DryHeat to the extent that s/he is suggesting that federal privacy law is a bit absurd. Its biggest deficiency, in my opinion, is that it treats voluntary disclosure of personal information totally differently from compelled disclosure of personal information. Aside from a very few protected types of information (e.g., video rental records, health information, financial information), third party providers are free to disclose whatever they want to whomever they want, including to the government. There doesn't seem to be any reason why a supermarket, for example, couldn't voluntarily hand over the oodles of information it collects about its customers.

That said, it appears that in this case Congress has tried to close the voluntary disclosure loophole by including 18 USC 2702. That's why 3121 isn't meaningless: the phone companies can't voluntarily disclose the dialing information.

(The more I think about it, though, the more I wonder if Northerner's point isn't correct. ECPA Title II was surely intended to deal with data networks rather than telecommunications companies. If a phone company doesn't provide an "electronic communication service" or a "remote computing service," then 2702 doesn't apply. Perhaps USA Today was correct to point to the Communications Act, 47 USC 222, as the most relevant statute.)
5.12.2006 2:05am
DG:
Oops, scratch that last parenthetical musing. The statute applies to providers of "electronic communication service," which is defined as "any service which provides to users thereof the ability to send or receive wire or electronic communications" (18 USC 2510(15)). A phone company surely provides to users the ability to send wire communications.

So we're back to where we were before: 3121 probably doesn't apply, but 2702 might.
5.12.2006 2:22am
logicnazi (mail) (www):
I think DryHeat is right on the mark with the point that a construal which let the government off the hook would totaly negate the meaning of the statute.

Let us leave aside for the moment any statutes which prevent the government from compelling companies to produce records. As I understand it there are still two statutes relevant to this situation.

1) 3121 which prevents the government from installing pen registers.

2) 2707 which prevents the providers from turning over records to the government.

Now if we say that the request of phone call records from the phone company does not count as installing a pen register what is the effect of statute 3121? None as I can see. Nothing would prevent the phone company from refusing either to install the pen register or to hand over the records so we can't construe 3121 as making a distinction between volountary and involountary help. The only meaning left to 3121 on this reading is to require a telecom employee to physically place the equitment on the network and the government to say they are leasing that equitment to the telecom rather than placing it on the wires themselves.

There has been some claims that we could read 3121 as denying the police real time access to phone records. Yet this doesn't seem to fly. The telco is collecting the information for its billing in real time so nothing prevents it from agreeing to transfer the information to the government within 10seconds of its creation. Moreover, had this been the intention of this statute wouldn't one expect to see definitions of real time monitoring and the length of delay one needs to not count as real time monitoring?

On the other hand if we read 3121 as preventing the government from setting up a system to monitor what calls someone is making all the statutes make sense. 2707 is not redundant as it provides a liability and private right of action and provides an alternative check in case the government doesn't feel bound by the laws.

If the government turns out to have only collected phone call logs once to build a background database to compare against or something I grant that this defense against 3121 might be reasonable. On the other hand if they are repeatedly collecting the phone call logs for the same people it seems to require a terribly twisted construction to avoid the conclusion that they are acting illegally.
5.12.2006 3:08am
logicnazi (mail) (www):
By the way does the notion of charging the government or parts of the government with some type of conspiracy if they induced the phone companies to violate the law make sense? Or is there some reason the government or individuals acting under the color of law can't be part of a conspiracy?
5.12.2006 3:10am
Medis:
logicnazi,

Offhand, I don't see why a government agent can't conspire with a private party to break the law.

In another thread, I hypothesized about a government agent conspiring with a private party to assassinate people he suspected of being criminals, but against whom he could not build a criminal case. I'm pretty sure that would be illegal. At least I hope so.
5.12.2006 8:52am
Seamus (mail):
In another thread, I hypothesized about a government agent conspiring with a private party to assassinate people he suspected of being criminals, but against whom he could not build a criminal case. I'm pretty sure that would be illegal. At least I hope so.

Nonsense. If the people were identified as supporters of al-Qaeda or the Iraqi insurgents, the assassination was either implicitly legalized by the Autorization for Use of Military Force Resolution, or falls within the President's authority as commander-in-chief. If our President thinks such a measure is necessary to ensure our safety, objections from the MSM and the ACLU are objectively pro-terrorist.
5.12.2006 10:57am
Seamus (mail):
A lot of those opposed to the first program were suggesting the same then too, and my response there again was to ask why should they do it? They had everything to lose by going to court, and little to gain.

Exactly. If you went to court, the judge might rule against you, depriving you of even the pretense of an excuse of thinking that what you were doing was legal.
5.12.2006 11:03am
RufusLeeKing (mail):
It seems to me Sec. 2709 is a winner. Providing that either 1) the proper FBI designee was involved with the request, as the USA Today story says the FBI was involved as a recipient of the data, or 2) the FBI Director designee is permitted to be someone at the NSA who is considered to be in "a position not lower than Deputy Assistant Director at Bureau headquarters or a Special Agent in Charge in a Bureau field office designated by the Director". What seems at first glance to require high FBI officials to be the requestor may in fact allow some designation of someone in a different agency who is unambiguously not below that rank of FBI field office director, such as the NSA Director, Asst. Director or such.

But other than the hitch of who was the requestor, the rest of the section is relatively smooth sailing for the government here, it seems to me.

Title 18, Sec. 2709 - Cornell

[Anyone have a link to a more recent version than Cornell's of 8/3/05?]

Some would say the requirement that the "records sought are relevant to an authorized investigation to protect against international terrorism or clandestine intelligence activities" would preclude such a blind data mining. But look again. It is a certification that this is the case that triggers the power of the acquisition. The requestor could be liable for intentional misrepresentation if applicable, but the ultimate facts don't hinder the acquisition process, absent a ruling otherwise.

And I see the data mining of all records in the US as quite relevant to an investigation to prevent international terrorism.

We are searching here for perhaps hundreds or thousands of hidden sleeper cells and enemy soldiers in a haystack of phone numbers, requirng the most exhaustive database available.

And this blind mining goes to the second requirement that "such an investigation of a United States person is not conducted solely on the basis of activities protected by the first amendment to the Constitution of the United States". Because each number is acquired en masse, completely impartially to its associated speech content, the basis the acquisition is conducted upon is assured to be speech neutral.
5.13.2006 11:32pm
RufusLeeKing (mail):
At first glance, the Pen Register statute only prohibits government pen registers and explicitly allows the gathering of that data by the electronic service provider pursuant to the "operation" of its service.

So phone call records normally kept by a phone company would not be banned from being obtained thereby by the phone company.

And then 18 USC 2709 allows the government to acquire them with its certification letter by the FBI designee.

And FISA Sec. 1809(a) exempts its restrictions when the surveillance is authorized by statute, as 18 USC 2709 would seem to do.
5.14.2006 1:49am