The USA Today has an important scoop today on a previously secret NSA surveillance program. Assuming the program was described accurately in the USA Today story, is this program legal? Here is a very preliminary rundown of the issues. It’s not as complete as I would like, and it’s not something I have thought about as much as I would like before posting. But my grades are due very soon, and unfortunately I can’t spend as much time on this as I would normally like to spend. I hope this post is at least a helpful start.
The legality of the program touches on at least five laws: the Fourth Amendment, the Pen Register statute, the Stored Communications Act, FISA, and the Communications Act.
1) The Fourth Amendment issues are straightforward. It sounds like the program involves only non-content surveillance, which means that it presumably doesn’t implicate the Fourth Amendment under Smith v. Maryland.
2) The legality of the program under FISA is somewhat similar to the legality of the NSA program we learned about a few months ago. The key question is, did the monitoring constitute “electronic surveillance” under FISA, and if so, does the Authorization to Use Military Force allow it? Note that FISA’s definition of “electronic surveillance” goes beyond accessing only content information and extends to some non-content information. If the program did involve “electronic surveillance” under FISA, then we’re right back to the same question that has been raised about the legality of the known NSA domestic surveillance program. If that’s right, your views of the legality of the new NSA program will pretty much coincide with your views of the legality of the NSA program disclosed a few months ago.
3) The next question is, did the monitoring violate the Pen Register statute, and in particular the prohibition of 18 U.S.C. 3121? To boil down a complex area of law into a sentence, federal surveillance law calls any means of surveilling non-content telephone or Internet information a “pen register” or “trap and trace device.” Section 3121 then bans using such a device unless the government has a court order (either through the criminal investigative authorities or national security law authorities) or an exception to the statute applies. The exceptions in the statute don’t seem applicable here: They mostly involve monitoring to provide better service for the telephone company.
The USA Today story suggests that Qwest wanted the government to obtain a court order for the monitoring, and that the government refused because they concluded that the FISA court might not grant the order. The court order they are referring to is probably the FISA pen register order. Under 50 U.S.C. 1842, the Attorney General or his designate needs to approve the request for such an order, and must certify “that the information likely to be obtained . . . is relevant to an ongoing investigation to protect against international terrorism or clandestine intelligence activities, provided that such investigation of a United States person is not conducted solely upon the basis of activities protected by the first amendment to the Constitution.” The order would then need to be renewed every 90 days under 50 U.S.C. 1842(f).
The legal threshold for a FISA pen register order is low: relevance to an ongoing investigation is a pretty easy standard to satisfy. At the same time, obtaining an order for this kind of monitoring would raise an issue that I have wondered about but I don’t think I know how to answer: Does FISA’s pen/trap authority in 50 U.S.C. 1842 permit the government to conduct massive-scale monitoring, or must monitoring be limited to a specific set of persons or accounts? When the USA Today story says that the government didn’t think the order would be granted by the FISA court, I gather they are saying that the FISA court judges didn’t think the FISA pen/trap authority permitted such massive-scale monitoring. That sounds like a sensible conclusion: I would guess that the FISA judges wouldn’t interpret the FISA pen/trap authority as permitting such massive-scale monitoring (in that it trumps the need for any individual orders, which would be odd).
4) The next possible statute is the Stored Communications Act (SCA), and in particular the prohibition on disclosing records relating to wire communications to a government entity found in 18 U.S.C. 2702(a)(3). It’s not clear to me that the SCA applies: the SCA was designed to deal with one-time disclosure of stored communications and records, not real-time collection and repeated disclosure. At the same time, the statute doesn’t have an explicit exception for real-time collection, so it’s at least plausible that it does apply. If it applies, disclosure is permitted only if an exception to the statute covers this. I don’t think that any of the exceptions apply, though: the emergency exception of 18 U.S.C. 2702(c)(4) seems to be the closest, but this doesn’t sound like there was an “immediate danger” here. This was an ongoing program, not a program responding to a sudden emergency.
5) A fifth possible statute, and one mentioned in the USA Today story, is the Communications Act of 1934, 47 U.S.C. 222. I have generally thought that the statutes discussed above trump this statute, but the USA Today story mentions it. In any event, I don’t know much about this one, as it’s a telecom statute and I don’t normally play in that sandbox. So I’ll punt on this one for now.
To summarize, my very preliminary sense is that there are no Fourth Amendment issues here but a number of statutory problems under statutes such as FISA and the pen register statute. Of course, all of the statutory questions are subject to the possible argument that Article II trumps those statutes. As I have mentioned before, I don’t see the support for the strong Article II argument in existing caselaw, but there is a good chance that the Administration’s legal argument in support of the new law will rely on it.
(cross posted at The Volokh Conspiracy)
How about the First Amendment via NAACP v. Alabama? It seems like the express purpose of this behavior is to scrutinize the associational affiliations of every American, and the database could easily be used to snoop on who is a member of any disfavored advocacy organization. Chilling effect?
Here’s another question. Is the NSA going through USA Today reporter Leslie Cauley’s telephone records right now to find out which NSA staffer called her? Does that violate the First Amendment?
More practically, is there a private right of action under any of the statutes you think might be problematic? Is there such a thing as a section 1983 class action?
Two points:
1. Orin, you are right that the Smith case would seem to allow this type of surveillance under the Fourth Amendment, but Smith says nothing about content vs. non-content communications. Smith says ALL records held by third parties fall outside the Fourth Amendment’s protections. The content/non-content and records/communications distinctions are primarily statutory. (Katz v. United States protects phone conversations from search but does not explicitly draw either distinction.)
[OK Comments: Lawspy, I wrote an amicus brief on this question: read it here.]
2. Given the above, phone numbers are just the tip of the iceberg of what government could collect without a warrant. They could (and may in fact currently) collect from every American the internet addresses of websites they have visited, non-content email traffic, records of their GPS locations obtained from cell phones, etc. . . all without a warrant. Smith laid down a pretty permissive boundary for government searches. I’m not sure its holding is one that can or should last.
I really don’t see your argument as to why the SCA might apply. Help me out here.
Section 2702(a)(3) states: “[1] a provider of remote computing service or electronic communication service to the public [2] shall not knowingly divulge [3] a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications covered by paragraph (1) or (2)) [4] to any governmental entity.”
[1] an “electronic communications service” is “any service which provides to users thereof the ability to send or receive wire or electronic communications.” 18 USC 2510(15). A phone company fits this definition.
[2] there doesn’t seem to be much dispute about the “knowingly” requirement.
[3] records of calls that are made fit within the meaning of a “record or other information pertaining to a subscriber to or customer of such service.”
[4] the NSA is a “governmental entity.”
Is the argument that real-time monitoring doesn’t fit within the definition of “record”? Seems like a stretch, not that we even know this involved real-time monitoring, from what I read.
Certainly, I think it’s got to be either a pen register or a stored communication. It’s hard to see how there is any room left between the two.
[The Fourth Amendment issues are straightforward. It sounds like the program involves only non-content surveillance, which means that it presumably doesn’t implicate the Fourth Amendment under Smith v. Maryland.]
I’m not a lawyer but it would seem to me that the data of one’s pattern of calling is ‘content’ and therefore subject to the search and seizure requirements of the 4th amendment.
[OK Comments: I can see why you would imagine that, but the law is different.]
Prof. Kerr,
Thanks for posting this — it’s a great help to those of us with little familiarity with these areas of law. Always much appreciated.
Ted: Section 1983 wouldn’t apply, because this is an action taken under color of federal law, not state law. A Bivens claim might be possible, but I am no expert there.
Massive traffic analysis can in some instances provide more useful information than content monitoring, and much more efficiently. They aren’t using this to keep track of terrorists, they’re using it to identify previously unknown terrorists based on call patterns.
Two questions: How massive does traffic analysis have to be before it amounts to content monitoring? I would guess that it would be a very simple thing for someone with access to this data to be able to reliably predict which of the millions of people being monitored is having an affair, for instance. Or even determine what TV shows they watch. If cell phone records were included, was geolocation information included as well?
Secondly, since the purpose of this was to identify terrorists, isn’t it likely that such information was used to determine who to conduct content monitoring on? Now since the evidence of why they need content monitoring on a specific person was obtained without a FISA warrant, I doubt they are going to go in front of the FISA court and ask for the warrant. The problem with this is that there are going to be false positives and I would guess that warrantless content monitoring has been conducted against thousands of innocent citizens (maybe we’re merely taxpayers now) of this country.
Professor Kerr, thank you for the great analysis.
My initial take on this was also that the SCA probably doesn’t apply because the data is being collected real-time or near real-time. However, as I thought more about it, the NSA probably took an initial data dump from the telcos to populate their database. Subsequently they added to the database as new data came in.
The initial data dump would then violate the SCA. My explanations are in the comments of my original post here and here.
I would love to hear your feedback when you have time. Thanks.
Mr. Kerr, thank you for your thoughtful analyses of these NSA programs. You’ve been one of the clearer voices through these various revelations.
I’m replying because I am concerned that the 4th amendment is dismissed too easily here. I know the phone company knows what numbers I dialed, and they might turn that information over to the police, but until last week I expected that this usually wouldn’t happen. Usually the government wouldn’t examine this information, unless I was suspected of a crime. Should I have a “reasonable expectation” that every third party that I share information with is always disclosing all of that data to the government every time I share it with them? This doesn’t seem like the sort of world the Constitution envisions.
It seems like this is a little bit different than the circumstances in Smith v. Maryland. In that case a criminal should have known that the phone company might disclose his calling patterns, and so he should have been careful about who he calls. But if you aren’t engaged in a criminal enterprise, should you still have an expectation that the government knows who you are calling and you might want to be careful about who you call? It seems that the breadth of the data collection can eventually reach a point where it is “unreasonable” with respect to the fourth amendment because it has no relationship to any suspicion of wrongdoing, and they are simply collecting everything they can get their hands on.
[OK Comments: It would be interesting if the Fourth Amendment followed such principles. However, under current law I think it's quite clear that non-content information isn't covered. The really hard question is when is *content* information covered given how modern communications technologies work.]