We now have a slightly better idea of the factual and legal issues surrounding the newly-disclosed NSA Call Records program, and I thought I would offer a second analysis that is more focused and more factually informed than the one I posted this morning. My still-very-tentative bottom line: The companies were probably violating the Stored Communications Act by disclosing the records to the NSA before the Patriot Act renewal in March 2006, although the new language in the Patriot Act renewal at least arguably made it more likely that the disclosure was legal under the emergency exception.
First, let’s update the facts. It now looks relatively clear that the NSA was not directing the telephone companies to conduct any particular monitoring on the NSA’s behalf. Rather, NSA officials were persuading the telephone companies to voluntarily disclose their call records to the government. In other words, the government wasn’t actually doing the monitoring, but instead was encouraging the telephone companies to disclose call records to them that the telephone companies already had collected.
In light of those apparent facts, the key issue to me becomes whether the disclosures were permitted under the Stored Communications Act, and specificially 18 U.S.C. 2702. (For a “user’s guide” to the Stored Communications Act, see here). Telephone companies are providers of “electronic communications service to the public” under the Act, and the Act regulates when providers can disclose non-content records of account information to the government. The ban is in Section 2702(a)(3):
[A] provider of . . . electronic communication service to the public shall not knowingly divulge a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications . . . ) to any governmental entity.
Of the possible exceptions to the statute, three are most likely to be relevant. They permit disclosure under the circumstances listed in 18 U.S.C. 2702(c), as amended by the Patriot Act renewal of 2006:
(2) with the lawful consent of the customer or subscriber;
(3) as may be necessarily incident to the rendition of the service or to the protection of the rights or property of the provider of that service;
(4) to a governmental entity, if the provider, in good faith, believes that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of information relating to the emergency[.]
(Note that the link to the Cornell site’s text of 2702 does not have the latest version of the exceptions, as it was last updated in the fall of 2005 and the exceptions were amended in March 2006. I was unable to find the new version on a website, and ended up taking it from Westlaw.).
Let’s take each of these exceptions in turn.
(1) The first exception permits disclosure if the subscriber consents. There are no cases interpreting eactly what consent means in 2702(c)(2), but like many of the exceptions in the SCA it is clearly a copy of an analogous exception in the close cousin of the SCA, the federal Wiretap Act, 18 U.S.C. 2510-22. We do have lots of cases on what consent means in the context of the Wiretap Act, so those cases presumably create the applicable standard here. The basic rule: Consent means that the user actually agreed to the action, either explicitly or implicitly based on the user’s decision to proceed in light of actual notice. Here’s what the First Circuit said on this in United States v. Lanoue, 71 F.3d 966, 981 (1st Cir. 1995):
Keeping in mind that implied consent is not constructive consent but ‘consent in fact,’ consent might be implied in spite of deficient notice, but only in a rare case where the court can conclude with assurance from surrounding circumstances that the party knowingly agreed to the surveillance. We emphasize that consent should not casually be inferred, particularly in a case of deficient notice. The surrounding circumstances must convincingly show that the party knew about and consented to the interception in spite of the lack of formal notice or deficient formal notice.
Did users consent to the disclosure under this standard? The Washington Post reports that government lawyers seemed to think so, based on small print in the Terms of Service of the telephone service customer agreements:
One government lawyer who has participated in negotiations with telecommunications providers said the Bush administration has argued that a company can turn over its entire database of customer records — and even the stored content of calls and e-mails — because customers “have consented to that” when they establish accounts. The fine print of many telephone and Internet service contracts includes catchall provisions, the lawyer said, authorizing the company to disclose such records to protect public safety or national security, or in compliance with a lawful government request. . . . Verizon’s customer agreement, for example, acknowledges the company’s ‘duty under federal law to protect the confidentiality of information about the quantity, technical configuration, type, destination, and amount of your use of our service,’ but it provides for exceptions to ‘protect the safety of customers, employees or property.’ Verizon will disclose confidential records, it says, “as required by law, legal process, or exigent circumstances.”
This seems like a very unpersuasive argument in light of the cases construing consent under the Wiretap Act, of which the consent provision in the SCA is a mirror. It reminds me of the argument that a DOJ lawyer once tried to make that monitoring prison phones was allowed because language in the Code of Federal Regulations clearly notified prisoners that their phones would be monitored. According to the lawyer, the notice in the fine print of the CFR was sufficient to make the monitoring consensual. Judge Posner rejected the argument, calling it “the kind of argument that makes lawyers figures of fun to the lay community.” United States v. Daniels, 902 F.2d 1238 (7th Cir. 1990). In light of these cases, I think the consent argument is weak. (Incidentally, if you look up Daniels, note that Posner incorrectly states later in the opinion that the Second Circuit accepted such a weak notice argument. If you read the Second Circuit case, it is clear that the CA2 did no such thing and that Posner was just being sloppy.)
(2) The next possible exception is disclosure “as may be necessarily incident to the rendition of the service or to the protection of the rights or property of the provider of that service.” This is known as the provider exception, and is also a copy of an analogous exception from the Wiretap Act, 18 U.S.C. 2511(2)(a)(i). You can read all about this exception here: basically, it gives providers rights to disclose information to the government to help the providers combat illegal service and unauthorized use of the network. It seems pretty clear that this doesn’t apply: The cases make clear that the provider exception exists to further provider interests, not government interests.
(3) The third and final exception is the emergency exception, which permits providers to disclose “if the provider, in good faith, believes that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of information relating to the emergency.” At the outset, it’s worth noticing something very interesting about this language: It is almost brand spanking new. The language that passed as part of the Patriot Act in 2001 allowed disclosure only when “the provider reasonably believes that an emergency involving immediate danger of death or serious physical injury to any person justifies disclosure of the information.” This was the language in place from October 2001 until March 2006. Did the phone companies have such a belief under the 2001-06 language? I gather they had a reasonable belief of danger, but I don’t know of a reason to think that they had a reasonable belief of “immediate” danger. If this was a program ongoing for several years, then it’s hard to say that there was a continuing reasonable belief of immediate danger over that entire time.
As noted above, though, the Patriot Act renewal passed in March 2006 changed this language. And it did so in a way with potentially important implications for the legality of the NSA call records program. The new exception states that disclosure is permitted “if the provider, in good faith, believes that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of information relating to the emergency.” Few people were paying attention to this change at the time, but I would guess that it was very important to the telephone companies: The change expanded the exception to allow disclosure when there is a good faith belief instead of a reasonable belief, and when there was a danger instead of an “immediate” danger. I wouldn’t be surprised if the telephone companies were pushing the change in part out of concern for civil liability for their participation in the NSA call records program. (Or perhaps not, come to think of it: Does the new language suggest that the information disclosed needs to relate to the emergency to be covered? What if the provider doesn’t know what information relates to the emergency?)
More tomorrow, I hope.
(cross posted at The Volokh Conspiracy)