Civil Liability and the NSA Call Records Program:
Some bloggers are trying to figure out the potential civil liability of the telephone companies if they violated the Stored Communications Act by disclosing call records to the NSA without a court order. I would guess that a lawsuit has been filed already, and if it hasn't, a bunch are coming soon. If a court finds that the telephone companies violated the Stored Communications Act, will they face liability in the range of billions of dollars?
I have two quick thoughts for those that want to look into this in more detail. First, be sure that you consider the good faith exception to liability under the statute, 18 U.S.C. 2707(e):
A good faith reliance on—
(1) a court warrant or order, a grand jury subpoena, a legislative authorization, or a statutory authorization (including a request of a governmental entity under section 2703 (f) of this title);
(2) a request of an investigative or law enforcement officer under section 2518 (7) of this title; or
(3) a good faith determination that section 2511 (3) of this title permitted the conduct complained of;
is a complete defense to any civil or criminal action brought under this chapter or any other law.
The language here is really unclear as a textual matter, but there are some cases on what it means in the analogous context of the Wiretap Act. When I looked into this when I was writing the DOJ manual, I found a big difference between how courts interpreted the exception in the context of government vs. civil action:
The relatively few cases interpreting the good-faith defense are notably erratic. In general, however, the courts have permitted law enforcement officers to rely on the good-faith defense when they make honest mistakes in the course of their official duties. See, e.g., Kilgore v. Mitchell, 623 F.2d 631, 633 (9th Cir. 1980) ("Officials charged with violation of Title III may invoke the defense of good faith under § 2520 if they can demonstrate: (1) that they had a subjective good faith belief that they were acting in compliance with the statute; and (2) that this belief was itself reasonable."); Hallinan v. Mitchell, 418 F. Supp. 1056, 1057 (N.D. Cal. 1976) (good-faith exception protects Attorney General from civil suit after Supreme Court rejects Attorney General's interpretation of Title III). In contrast, the courts have not permitted private parties to rely on good-faith "mistake of law" defenses in civil wiretapping cases. See, e.g., Williams v. Poulos, 11 F.3d 271, 285 (1st Cir. 1993); Heggy v. Heggy, 944 F.2d 1537, 1541-42 (10th Cir. 1991).
I'd need to re-read those cases to get better up to speed on this, but it's not obvious to me whether a court would see this as a government good-faith case or a civil good-faith case. It's kind of a mix.
Second, from a practical perspective it's worth asking how far a suit would go given that the Administration would presumably try to stop the suit by invoking the military and state secrets doctrine (.pdf), as they did recently in a suit over telco involvement in the 1st NSA program. It's unclear how those claims will pan out -- either in the EFF case or in one filed against the telephone companies for this program -- but they are at least a significant roadblock to an attempt to recover damages against the telephone companies for the disclosure.
(cross posted at OrinKerr.com)
Administration claims of secrecy go even farther than the stonewalling attempts in the EFF suit. I read one of the more Kafkaesque sentences I've seen recently in an AP story yesterday:
Laugh or cry?
Based on the prior analyses of the statute, I'm not sure how anybody can assert a good faith defense here. Let's assume the government standard applies; how could the government argue that they believed in good faith they were complying with the statute, particularly when they declined requests to get a FISA warrant, etc.?
Second, it appears to me that the most likely possible defense (18 USC 2511(2)(a)(ii)(B)) effectively shifts the liability from the telecoms to the government -- and the government is on the hook for $10,000 per person.
I think you dismissed 18 U.S.C. 2702(c)(3) too easily in a prior post.
Would it not be in the interest of the provider to assist the government in finding terrorists? After all, their customers, employees and infrastructure would be in the target pool. I suspect that all the 9/11 victims had phone service, some were employed by telcos and there was definitely extensive damage to telecommunications infrastructure.
Also, is it farfetched for the provider to assume that failure to provide data which could prevent an attack could lead to civil liability in the aftermath of an attack?
Courts have rejected your theory, actually. See the DOJ manual for an introduction to some of the cases.
In this case, the govt is not requesting the "records" of any specific customer, but rather is requesting access to all the records of the phone company for network analysis of traffic flows and connections.
The "business records" of the business as opposed to the "personal records" of the customer.
It seems as if it would be somewhat similar to individual hospitals and doctors disclosing to local govt health depts. numbers and types of infections of the patients they treat, how many times and how the individuals are treated - not identified by individual and neutralized of personal information, as opposed to turning over the individual's medical records and treatment dates themselves.
The phone records are not statistical compilations, they're records of individual calls. Since the records identify the phone number from which a call originated and the phone number called, it is trivial to associate each record with an individual customer. Indeed, it must be so -- otherwise the records would be useless to the government.
Can you explain what your expectations of confidentiality are with respect to your phone calls and e-mails, content and noncontent?
The fuss today is about calling records, not intercepted calls. The same calling records the phone companies regularly mine in order to try to sell me "... a plan suited to [my] needs and habits". The phone solicitor has my records at his/her fingertips. I should expect the government to be any different?
If you want privacy, you're not gonna get it on the phone. Nor through the mail, and certainly not on the internet.
So just to be clear, if you found out that the Mafia had hired thugs to wiretap your phone and break into your e-mail account and read your e-mail, you would say that was no big deal? After all, you can't expect privacy in phone calls or e-mails.
§ 2709. Counterintelligence access to telephone toll and transactional records
(a) Duty to provide.--A wire or electronic communication service provider shall comply with a request for subscriber information and toll billing records information, or electronic communication transactional records in its custody or possession made by the Director of the Federal Bureau of Investigation under subsection (b) of this section. (etc.)
This is nothing more than a pen register & the US Supremes have already held there is no expectation of privacy in these sorts of data. This has been done since at least the 30's. Traffic analysis is one way the Mafia was mapped out and tracked.
Under 2709, Telcos have to cooperate if the FBI gives them a national security letter. The FBI was not involved here, and no one had a national security letter (nor could they get one). So 2709 doesn't apply.
Of course the health data I referred is not quite a statistical compilation either. It would be more difficult, but not impossible, to identify individual patients if necessary.
Not so, or at least not necessarily so. It seems to me there are three stages to the process as it would be used.
1. NSA gets the raw data business records, billing records but not identifying any specific customer by name or address, from the phone company and loads it into a computer. That computer then "analyzes" the relationships among the various telephone numbers into a relationship database that includes international telephone numbers.
2. Upon some stimulus, say for example, an international number known to be terrorist linked that is already possessed, or, a new number is acquired that is terrorist linked, are input into the database for relationships and telephone numbers they called, and the ones those called, are identified.
3. The individual customers are now identified, emergency content monitoring pursuant to the FISA emergency exemption takes place, or, a FISA warrant is obtained.
The numbers have been useful, in the absence of specific customer information, to identify those customers who need to be identified.
Regardless of what the government necessarily needs, the actual fact is that it is trivial to identify the registered owner of a telephone number. There are online services that provide telephone number to customer name and address mappings for free, for charge, and probably in bulk. Since the government would likely not permit the parties to subpoena the NSA to find out how the NSA actually uses this information, the triviality of identifying telco customers implicates the telephone companies.
You bring up an excellent point. You can go to various websites (superpages.com for instance) and type in someone's info and possibly get a name, address, and phone number. With that being said, doesn't that make that kind of information publicly available? I'm not a lawyer, but wouldn't that be kind of like evidence in someone's trash can (outside the house)?
I guess the hard part would be the fact that you didn't physically "throw away" your info so the world could read it, but wouldn't it be treated the same way?
Therefore, the NSA wouldn't need to subpoena any company for contact info, since it's already publicly available, right?
Anonymous Reader
These are interesting statutes because they punish efficient "breach".
Or am I wrong and "de minimis" always applies, even if a statute does not mention it?
One reason that they might want telco subscriber information is that some of the stuff that you get on the Internet is accurate, but much is not. For example, I delisted my home phone maybe four years ago. When I was moving around the country, I left it at a residence here, and then forwarded it wherever I was living at the time. It never even went into the house there, because on the rare occasions I needed to change parameters, I would just go out and plug a phone into the demarcation box. Nevertheless, that address is still showing up connected to that phone number, and I still get a lot of advertisements about getting second mortgages for that house (which I never owned).
It is clear though that Qwest is selling current information, because every once in a while there will be some indication that someone has tied the phone to its physical location, and the only place that can come from is Qwest. The phone number has been unlisted and unpublished since it moved.
That said, I stand by the fact that what the gov't is doing is nothing more than traffic analysis, which has been held constitutional since the 30's. The data acquired is the electronic equivalent of a pen register & the Supremes have held there is no reasonable expectation of privacy there.
This sort of analysis was developed during WWI. If you want a fascinating view of how it is done, read David Kahn's "The Codebreakers" & see how much the Navy was able to learn about Japanese ship movements without actually being able to read their traffic. The FBI used the same techniques to map out the Mafia in the 50's and still uses it against the drug smugglers. Heck, I can learn much about my children just looking at the cell phone bill (I have teenagers).
What is happening here is that a lot of people are assuming what they wish the law to be is in fact what the law actually is. The Feds can look at your bank records without a warrant. The Feds and the states can look at your medical records without a warrant. In either case they don't have to tell you & they usually don't. That drives me nuts & it is plain wrong in my view. But the courts say it's OK.
SMITH v. MARYLAND, 442 U.S. 735 (1979)
[W]e doubt that people in general entertain any actual expectation of privacy in the numbers they dial. All telephone users realize that they must “convey” phone numbers to the telephone company, since it is through telephone company switching equipment that their calls are completed. All subscribers realize, moreover, that the phone company has facilities for making permanent records of the numbers they dial, for they see a list of their long-distance (toll) calls on their monthly bills. . . .
[E]ven if [a caller] did harbor some subjective expectation that the phone numbers he dialed would remain private, this expectation is not “one that society is prepared to recognize as ‘reasonable.’” . . . This Court consistently has held that a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties. . . . [W]hen [a caller] used his phone, [he] voluntarily conveyed numerical information to the telephone company and “exposed” that information to its equipment in the ordinary course of business. In so doing, [the caller] assumed the risk that the company would reveal to police the numbers he dialed.
Well, this is true, nobody is arguing that what the NSA is doing is unconstitutional, just illegal. When the Supreme Court decided that pen registers were not covered by the fourth amendment the Congress passed laws to protect that information. That is why, according to USA Today, Qwest refused to cooperate with the program. They demanded a court order before they would turn over the information. The NSA apparently acted like a bunch of mafia bagmen running a protection racket threatening to cut off government contracts if Qwest didn't cooperate and saying in effect: "Badges, we don't need no stinking badges." (I realize I am mixing my metaphors and/or movie allusions between mob and spaghetti westerns)
As noted in an earlier post, Smith v. Maryland was effectively overruled by the Stored Communications Act. It's the way our system works. If the Supreme Court says something is not prohibited by the constitution the Congress can still pass laws that make the act illegal. And the Stored Communications Act did just that, made the acts that the Supreme Court found constitutional in Smith v. Maryland illegal.
Circa 1995, the FCC legislation demanded co-operation with local, state and federal law enforcement, by the telecommunication companies.
The objective of CALEA's implementation is to preserve law enforcement's ability to conduct "lawfully authorized" electronic surveillance, while preserving public safety and the public's right to privacy.
Data basing every phone call, to and from every telephone ever made in America, since even 9/11, must be a tremendous effort, and a rather huge expense to the government, which technically is you and I. And personally, I can't afford the share of my liability for this expenditure. Especially since the money has to be borrowed from China.
Links to FAQs about CALEA can be found here:
http://www.askcalea.net/faqs.html
I think you are quite correct to say, "nobody is arguing that what the NSA is doing is unconstitutional, just illegal. When the Supreme Court decided that pen registers were not covered by the fourth amendment the Congress passed laws to protect that information."
But it goes too far to say that the Stored Communications Act "effectively overruled" Smith v. Maryland, which as you note was interpreting the Fourth Amendment.
Link found on SlashDot.
My, what an imagination you have! Of course I'd be concerned if I found out that the "Mafia" had hired "thugs" to wiretap my phone and break into my email. Granted, the "Mafia" is not known for great intellects, but anyone stupid enough to hire "thugs" to do a job more easily accomplished by a 14 y/o hacker or with a bird watcher's parabolic microphone is surely a cause for concern. And I consider the "Mafia" less of a threat to my safety, security and freedom than our Government. If I found out that someone walked in off the street to the office of my phone company or ISP, and asked about my information, and the company had provided it, I might be concerned. But I'd have no cause for action. No one has promised me security or privacy. Absent a specific contractual clause, these records are theirs to do with as they please.
Data packets are feathers in the wind. They can't be recovered.
Out of curiosity, just where in your life do you think you have privacy? Medical records? Banking records? Nope. They even put security cameras in rest rooms nowadays!
Suppose, for example, a group of people who haven't contacted each other in years, and suddenly they begin calling and emailing and planning a trip to D.C.
Wouldn't it be likely, using this storage data base, that a computer program would flag this 'social networking' as a possible terrorist cell, when in actuality it's only a group of Vietnam vets planning a reunion at the Vietnam Memorial?