Thoughts on the Legality of the Latest NSA Program: Assuming that the newly-disclosed NSA surveillance program was described accurately in the USA Today story, is this program legal? Here is a very preliminary run down of the issues. It's not as complete as I would like, and it's not something I have thought about as much as I would like before posting. But my grades are due very soon, and unfortunately I can't spend as much time on this as I would normally like to spend. I hope this post is at least a helpful start.

  The legality of the program touches on at least five laws: the Fourth Amendment, the Pen Register statute, the Stored Communications Act, FISA, and the Communications Act.

  1) The Fourth Amendment issues are straightforward. It sounds like the program involves only non-content surveillance, which means that it presumably doesn't implicate the Fourth Amendment under Smith v. Maryland.

  2) The legality of the program under FISA is somewhat similar to the legality of the NSA program we learned about a few months ago. The key question is, did the monitoring constitute "electronic surveillance" under FISA, and if so, does the Authorization to Use Military Force allow it? Note that FISA's definition of "electronic surveillance" goes beyond accessing only content information and extends to some non-content information. If the program did involve "electronic surveillance" under FISA, then we're right back to the same question that has been raised about the legality of the known NSA domestic surveillance program. If that's right, your views of the legality of the new NSA program will pretty much coincide with your views of the legality of the NSA program disclosed a few months ago.

  3) The next question is, did the monitoring violate the Pen Register statute, and in particular the prohibition of 18 U.S.C. 3121? To boil down a complex area of law into a sentence, federal surveillance law calls any means of surveilling non-content telephone or Internet information a "pen register" or "trap and trace device." Section 3121 then bans using such a device unless the government has a court order (either through the criminal investigative authorities or national security law authorities) or an exception to the statute applies. The exceptions in the statute don't seem applicable here: They mostly involve monitoring to provide better service for the telephone company.

  The USA Today story suggests that Qwest wanted the government to obtain a court order for the monitoring, and that the government refused because they concluded that the FISA court might not grant the order. The court order they are referring to is probably the FISA pen register order. Under 50 U.S.C. 1842, the Attorney General or his designate needs to approve the request for such an order, and must certify "that the information likely to be obtained . . . is relevant to an ongoing investigation to protect against international terrorism or clandestine intelligence activities, provided that such investigation of a United States person is not conducted solely upon the basis of activities protected by the first amendment to the Constitution." The order would then need to be renewed every 90 days under 50 U.S.C. 1842(f).

  The legal threshold for a FISA pen register order is low: relevance to an ongoing investigation is a pretty easy standard to satisfy. At the same time, obtaining an order for this kind of monitoring would raise an issue that I have wondered about but I don't think I know how to answer: Does FISA's pen/trap authority in 50 U.S.C. 1842 permit the government to conduct massive-scale monitoring, or must monitoring be limited to a specific set of persons or accounts? When the USA Today story says that the government didn't think the order would be granted by the FISA court, I gather they are saying that the FISA court judges didn't think the FISA pen/trap authority permitted such massive scale monitoring. That sounds like a sensible conclusion: I would guess that the FISA judges wouldn't interpret the FSIA pen/trap authority as permitting such massive scale monitoring (in that it trumps the need for any individual orders, which would be odd).

  4) The next possible statute is the Stored Communications Act (SCA), and in particular the prohibition on disclosing records relating to wire communications to a government entity found in 18 U.S.C. 2702(a)(3). It's not clear to me that the SCA applies: the SCA was designed to deal with one-time disclosure of stored communications and records, not real-time collection and repeated disclosure. At the same time, the statute doesn't have an explicit exception for real time collection, so it's at least plausible that it does apply. If it applies, disclosure is permitted only if an exception to the statute covers this. I don't think that any of the exceptions apply, though: the emergency exception of 18 U.S.C. 2702(c)(4) seens to be the closest, but this doesn't sound like there was an "immediate danger" here. This was an ongoing program, not a program responding to a sudden emergency.

  5) A fifth possible statute, and one mentioned in the USA Today story, is the Communications Act of 1934, 47 U.S.C. 222. I have generally thought that the statutes discussed above trump this statute, but the USA Today story mentions it. In any event, I don't know much about this one, as it's a telecom statute and I don't normally play in that sandbox. So I'll punt on this one for now.

  To summarize, my very preliminary sense is that there are no Fourth Amendment issues here but a number of statutory problems under statutes such as FISA and the pen register statute. Of course, all of the statutory questions are subject to the possible argument that Article II trumps those statutes. As I have mentioned before, I don't see the support for the strong Article II argument in existing caselaw, but there is a good chance that the Administration's legal argument in support of the new law will rely on it.

  (cross posted at
More Thoughts on the Legality of the NSA Call Records Program: We now have a slightly better idea of the factual and legal issues surrounding the newly-disclosed NSA Call Records program, and I thought I would offer a second analysis that is more focused and more factually informed than the one I posted this morning. My still-very-tentative bottom line: The companies were probably violating the Stored Communications Act by disclosing the records to the NSA before the Patriot Act renewal in March 2006, although the new language in the Patriot Act renewal at least arguably made it more likely that the disclosure was legal under the emergency exception.

  First, let's update the facts. It now looks relatively clear that the NSA was not directing the telephone companies to conduct any particular monitoring on the NSA's behalf. Rather, NSA officials were persuading the telephone companies to voluntarily disclose their call records to the government. In other words, the government wasn't actually doing the monitoring, but instead was encouraging the telephone companies to disclose call records to them that the telephone companies already had collected.

  In light of those apparent facts, the key issue to me becomes whether the disclosures were permitted under the Stored Communications Act, and specificially 18 U.S.C. 2702. (For a "user's guide" to the Stored Communications Act, see here). Telephone companies are providers of "electronic communications service to the public" under the Act, and the Act regulates when providers can disclose non-content records of account information to the government. The ban is in Section 2702(a)(3):
[A] provider of . . . electronic communication service to the public shall not knowingly divulge a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications . . . ) to any governmental entity.
Of the possible exceptions to the statute, three are most likely to be relevant. They permit disclosure under the circumstances listed in 18 U.S.C. 2702(c), as amended by the Patriot Act renewal of 2006:
(2) with the lawful consent of the customer or subscriber;
(3) as may be necessarily incident to the rendition of the service or to the protection of the rights or property of the provider of that service;
(4) to a governmental entity, if the provider, in good faith, believes that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of information relating to the emergency[.]
(Note that the link to the Cornell site's text of 2702 does not have the latest version of the exceptions, as it was last updated in the fall of 2005 and the exceptions were amended in March 2006. I was unable to find the new version on a website, and ended up taking it from Westlaw.).

  Let's take each of these exceptions in turn.

  (1) The first exception permits disclosure if the subscriber consents. There are no cases interpreting eactly what consent means in 2702(c)(2), but like many of the exceptions in the SCA it is clearly a copy of an analogous exception in the close cousin of the SCA, the federal Wiretap Act, 18 U.S.C. 2510-22. We do have lots of cases on what consent means in the context of the Wiretap Act, so those cases presumably create the applicable standard here. The basic rule: Consent means that the user actually agreed to the action, either explicitly or implicitly based on the user's decision to proceed in light of actual notice. Here's what the First Circuit said on this in United States v. Lanoue, 71 F.3d 966, 981 (1st Cir. 1995):
Keeping in mind that implied consent is not constructive consent but 'consent in fact,' consent might be implied in spite of deficient notice, but only in a rare case where the court can conclude with assurance from surrounding circumstances that the party knowingly agreed to the surveillance. We emphasize that consent should not casually be inferred, particularly in a case of deficient notice. The surrounding circumstances must convincingly show that the party knew about and consented to the interception in spite of the lack of formal notice or deficient formal notice.
  Did users consent to the disclosure under this standard? The Washington Post reports that government lawyers seemed to think so, based on small print in the Terms of Service of the telephone service customer agreements:
One government lawyer who has participated in negotiations with telecommunications providers said the Bush administration has argued that a company can turn over its entire database of customer records — and even the stored content of calls and e-mails — because customers "have consented to that" when they establish accounts. The fine print of many telephone and Internet service contracts includes catchall provisions, the lawyer said, authorizing the company to disclose such records to protect public safety or national security, or in compliance with a lawful government request. . . . Verizon's customer agreement, for example, acknowledges the company's 'duty under federal law to protect the confidentiality of information about the quantity, technical configuration, type, destination, and amount of your use of our service,' but it provides for exceptions to 'protect the safety of customers, employees or property.' Verizon will disclose confidential records, it says, "as required by law, legal process, or exigent circumstances."
  This seems like a very unpersuasive argument in light of the cases construing consent under the Wiretap Act, of which the consent provision in the SCA is a mirror. It reminds me of the argument that a DOJ lawyer once tried to make that monitoring prison phones was allowed because language in the Code of Federal Regulations clearly notified prisoners that their phones would be monitored. According to the lawyer, the notice in the fine print of the CFR was sufficient to make the monitoring consensual. Judge Posner rejected the argument, calling it "the kind of argument that makes lawyers figures of fun to the lay community." United States v. Daniels, 902 F.2d 1238 (7th Cir. 1990). In light of these cases, I think the consent argument is weak. (Incidentally, if you look up Daniels, note that Posner incorrectly states later in the opinion that the Second Circuit accepted such a weak notice argument. If you read the Second Circuit case, it is clear that the CA2 did no such thing and that Posner was just being sloppy.)

  (2) The next possible exception is disclosure "as may be necessarily incident to the rendition of the service or to the protection of the rights or property of the provider of that service." This is known as the provider exception, and is also a copy of an analogous exception from the Wiretap Act, 18 U.S.C. 2511(2)(a)(i). You can read all about this exception here: basically, it gives providers rights to disclose information to the government to help the providers combat illegal service and unauthorized use of the network. It seems pretty clear that this doesn't apply: The cases make clear that the provider exception exists to further provider interests, not government interests.

  (3) The third and final exception is the emergency exception, which permits providers to disclose "if the provider, in good faith, believes that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of information relating to the emergency." At the outset, it's worth noticing something very interesting about this language: It is almost brand spanking new. The language that passed as part of the Patriot Act in 2001 allowed disclosure only when "the provider reasonably believes that an emergency involving immediate danger of death or serious physical injury to any person justifies disclosure of the information." This was the language in place from October 2001 until March 2006. Did the phone companies have such a belief under the 2001-06 language? I gather they had a reasonable belief of danger, but I don't know of a reason to think that they had a reasonable belief of "immediate" danger. If this was a program ongoing for several years, then it's hard to say that there was a continuing reasonable belief of immediate danger over that entire time.

  As noted above, though, the Patriot Act renewal passed in March 2006 changed this language. And it did so in a way with potentially important implications for the legality of the NSA call records program. The new exception states that disclosure is permitted "if the provider, in good faith, believes that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of information relating to the emergency." Few people were paying attention to this change at the time, but I would guess that it was very important to the telephone companies: The change expanded the exception to allow disclosure when there is a good faith belief instead of a reasonable belief, and when there was a danger instead of an "immediate" danger. I wouldn't be surprised if the telephone companies were pushing the change in part out of concern for civil liability for their participation in the NSA call records program. (Or perhaps not, come to think of it: Does the new language suggest that the information disclosed needs to relate to the emergency to be covered? What if the provider doesn't know what information relates to the emergency?)

   More tomorrow, I hope.

  (cross posted at
Civil Liability and the NSA Call Records Program: Some bloggers are trying to figure out the potential civil liability of the telephone companies if they violated the Stored Communications Act by disclosing call records to the NSA without a court order. I would guess that a lawsuit has been filed already, and if it hasn't a bunch are coming soon. If a court finds that the telephone companies violated the Stored Communications Act, will they face liability in the range of billions of dollars?

  I have two quick thoughts for those that want to look into this in more detail. First, be sure that you consider the good faith exception to liability under the statute, 18 U.S.C. 2707(e):
A good faith reliance on—
(1) a court warrant or order, a grand jury subpoena, a legislative authorization, or a statutory authorization (including a request of a governmental entity under section 2703 (f) of this title);
(2) a request of an investigative or law enforcement officer under section 2518 (7) of this title; or
(3) a good faith determination that section 2511 (3) of this title permitted the conduct complained of;
is a complete defense to any civil or criminal action brought under this chapter or any other law.
  The language here is really unclear as a textual matter, but there are some cases on what it means in the analogous context of the Wiretap Act. When I looked into this when I was writing the DOJ manual, I found a big difference between how courts interpreted the exception in the context of government vs. civil action:
The relatively few cases interpreting the good-faith defense are notably erratic. In general, however, the courts have permitted law enforcement officers to rely on the good-faith defense when they make honest mistakes in the course of their official duties. See, e.g., Kilgore v. Mitchell, 623 F.2d 631, 633 (9th Cir. 1980) ("Officials charged with violation of Title III may invoke the defense of good faith under § 2520 if they can demonstrate: (1) that they had a subjective good faith belief that they were acting in compliance with the statute; and (2) that this belief was itself reasonable."); Hallinan v. Mitchell, 418 F. Supp. 1056, 1057 (N.D. Cal. 1976) (good-faith exception protects Attorney General from civil suit after Supreme Court rejects Attorney General's interpretation of Title III). In contrast, the courts have not permitted private parties to rely on good-faith "mistake of law" defenses in civil wiretapping cases. See, e. g., Williams v. Poulos, 11 F.3d 271, 285 (1st Cir. 1993); Heggy v. Heggy, 944 F.2d 1537, 1541-42 (10th Cir. 1991).
  I'd need to re-read those cases to get better up to speed on this, but it's not obvious to me whether a court would see this as a government good-faith case or a civil good-faith case. It's kind of a mix.

  Second, from a practical perspective it's worth asking how far a suit would go given that the Administration would presumably try to stop the suit by invoking the military and state secrets doctrine (.pdf), as they did recently in a suit over telco involvement in the 1st NSA program. It's unclear how those claims will pan out -- either in the EFF case or in one filed against the telephone companies for this program -- but they are at least a significant roadblock to an attempt to recover damages against the telephone companies for the disclosure.

  (cross posted at
Falkenrath on the NSA Call Records Program: In today's Washington Post, Richard Falkenrath defends the NSA call records program. He has this discussion of its legality:
  There are, of course, strict legal limits on the ability of federal agencies such as the NSA to compel the provision of domestic information or to collect it secretly. The USA Today story, however, alleges that three telecommunications companies — AT&T, Verizon and BellSouth — provided it voluntarily. How else could one company (Qwest) decline to provide the information? Since there is no prohibition against federal agencies receiving voluntarily provided business records relating to their responsibilities, it appears that the NSA's alleged receipt and retention of such information is perfectly legal.
  The three companies reported to have supplied telephone records to the NSA also appear to be acting lawfully. The Telecommunications Act of 1934, as amended, generally prohibits the release of "individually identifiable customer proprietary network information" except under force of law or with the approval of the customer. But, according to USA Today, the telephone records voluntarily provided to the NSA had been anonymized. In addition, the Electronic Communications Privacy Act of 1986 explicitly permits telecommunications companies to provide customer records to the government if the government asks for them. So it would appear that the companies have been acting not just in the public interest, but also within the law and without encroaching on the privacy of any of their customers.
  Three quick thoughts in response, taking these points in turn:

  1. I think it's right that the NSA did not act unlawfully by receiving and retaining the records. It may be a different picture if, as some stories have reported, the NSA was doing more than just receiving and retaining. But receiving and retaining alone doesn't violate the law. If that's all the NSA did, the issue is the liability of the phone companies, not the liability of the NSA.

  2. I don't know much about the Communications Act of 1934, so I can't speak to this issue. Can others fill us in on whether this argument is correct? (Preferably with actual legal support rather than mere conclusions.)

  3. Falkenrath is just wrong about ECPA. He states that "the Electronic Communications Privacy Act of 1986 explicitly permits telecommunications companies to provide customer records to the government if the government asks for them." No, it doesn't. There is no "government request" exception to the ban on disclosure.

  I gather the exception Falkenrath has in mind is 18 U.S.C. 2702(c)(1), which allows disclosure if the government has a valid court order or subpoena under 18 U.S.C. 2703. But that exception only applies when the government is compelling the disclosure with a valid court order or subpoena. (There is also a curious exception allowing the government to get the names and phone numbers of suspected telemarketers in telemarketing fraud cases, but that's obviously inapplicable here.) News reports indicate that the government did not have a court order or subpoena or other legal order. Given that, the exception does not apply.