The USA Today has an important scoop today on a previously secret NSA surveillance program. Assuming the program was described accurately in the USA Today story, is this program legal? Here is a very preliminary run down of the issues. It’s not as complete as I would like, and it’s not something I have thought about as much as I would like before posting. But my grades are due very soon, and unfortunately I can’t spend as much time on this as I would normally like to spend. I hope this post is at least a helpful start.
The legality of the program touches on at least five laws: the Fourth Amendment, the Pen Register statute, the Stored Communications Act, FISA, and the Communications Act.
1) The Fourth Amendment issues are straightforward. It sounds like the program involves only non-content surveillance, which means that it presumably doesn’t implicate the Fourth Amendment under Smith v. Maryland.
2) The legality of the program under FISA is somewhat similar to the legality of the NSA program we learned about a few months ago. The key question is, did the monitoring constitute “electronic surveillance” under FISA, and if so, does the Authorization to Use Military Force allow it? Note that FISA’s definition of “electronic surveillance” goes beyond accessing only content information and extends to some non-content information. If the program did involve “electronic surveillance” under FISA, then we’re right back to the same question that has been raised about the legality of the known NSA domestic surveillance program. If that’s right, your views of the legality of the new NSA program will pretty much coincide with your views of the legality of the NSA program disclosed a few months ago.
3) The next question is, did the monitoring violate the Pen Register statute, and in particular the prohibition of 18 U.S.C. 3121? To boil down a complex area of law into a sentence, federal surveillance law calls any means of surveilling non-content telephone or Internet information a “pen register” or “trap and trace device.” Section 3121 then bans using such a device unless the government has a court order (either through the criminal investigative authorities or national security law authorities) or an exception to the statute applies. The exceptions in the statute don’t seem applicable here: They mostly involve monitoring to provide better service for the telephone company.
The USA Today story suggests that Qwest wanted the government to obtain a court order for the monitoring, and that the government refused because they concluded that the FISA court might not grant the order. The court order they are referring to is probably the FISA pen register order. Under 50 U.S.C. 1842, the Attorney General or his designate needs to approve the request for such an order, and must certify “that the information likely to be obtained . . . is relevant to an ongoing investigation to protect against international terrorism or clandestine intelligence activities, provided that such investigation of a United States person is not conducted solely upon the basis of activities protected by the first amendment to the Constitution.” The order would then need to be renewed every 90 days under 50 U.S.C. 1842(f).
The legal threshold for a FISA pen register order is low: relevance to an ongoing investigation is a pretty easy standard to satisfy. At the same time, obtaining an order for this kind of monitoring would raise an issue that I have wondered about but I don’t think I know how to answer: Does FISA’s pen/trap authority in 50 U.S.C. 1842 permit the government to conduct massive-scale monitoring, or must monitoring be limited to a specific set of persons or accounts? When the USA Today story says that the government didn’t think the order would be granted by the FISA court, I gather they are saying that the FISA court judges didn’t think the FISA pen/trap authority permitted such massive scale monitoring. That sounds like a sensible conclusion: I would guess that the FISA judges wouldn’t interpret the FSIA pen/trap authority as permitting such massive scale monitoring (in that it trumps the need for any individual orders, which would be odd).
4) The next possible statute is the Stored Communications Act (SCA), and in particular the prohibition on disclosing records relating to wire communications to a government entity found in 18 U.S.C. 2702(a)(3). It’s not clear to me that the SCA applies: the SCA was designed to deal with one-time disclosure of stored communications and records, not real-time collection and repeated disclosure. At the same time, the statute doesn’t have an explicit exception for real time collection, so it’s at least plausible that it does apply. If it applies, disclosure is permitted only if an exception to the statute covers this. I don’t think that any of the exceptions apply, though: the emergency exception of 18 U.S.C. 2702(c)(4) seens to be the closest, but this doesn’t sound like there was an “immediate danger” here. This was an ongoing program, not a program responding to a sudden emergency.
5) A fifth possible statute, and one mentioned in the USA Today story, is the Communications Act of 1934, 47 U.S.C. 222. I have generally thought that the statutes discussed above trump this statute, but the USA Today story mentions it. In any event, I don’t know much about this one, as it’s a telecom statute and I don’t normally play in that sandbox. So I’ll punt on this one for now.
To summarize, my very preliminary sense is that there are no Fourth Amendment issues here but a number of statutory problems under statutes such as FISA and the pen register statute. Of course, all of the statutory questions are subject to the possible argument that Article II trumps those statutes. As I have mentioned before, I don’t see the support for the strong Article II argument in existing caselaw, but there is a good chance that the Administration’s legal argument in support of the new law will rely on it.
(cross posted at The Volokh Conspiracy)